Networks -- CS 125


CS 125 Lab - Arp


Due date: Check the course for the due date.

Introduction

In this lab, you will use Wireshark to observe the ARP protocol in action.

Goals

Acknowledgments

This lab is based on an earlier lab by Mike Erlinger on observing ARP with Wireshark, which is in turn based on a lab from Kurose and Ross's Computer Networking.

References

Logistics

You are to work in pairs. Each step is divided into DO and ANSWER. A DO is a step that may or may not require uploading a screenshot, i.e., proof that you did and understood the step. An ANSWER requires a written answer from you; this is the part that determines your Lab grade. When entering material in your Lab Report, be sure to distinguish between DO and ANSWER.

Running the arp command may be problematic on some of the cs dept machines (protection issues). Let me or Tim know when you have access problems.

You may need to ask the system where arp is located...

Assignment

Part A: Looking at the ARP cache

  1. DO: Read the man page on arp: man 8 arp. If you think the description is different than the lecture, let me know.

  2. DO: Invoke arp -a or -n to learn the contents of the workstation's ARP cache. Copy this into your lab notebook. ANSWER: Why are there so many entries?

  3. DO: Invoke arp -s. What happens? Are you surprised?

  4. DO: Invoke man 7 arp to read about the Linux ARP kernel module.
    ANSWER: What is the default amount of time that an ARP entry remains in the cache before being removed?

  5. ANSWER: What is the default amount of time that an entry remains in your ARP cache before being removed?

  6. As you now know, the command arp -s IPAddr EtherAddr allows you to manually add an entry to the ARP cache.
    ANSWER: What happens if you get the IP address correct, but mess up the Ethernet Address?

  7. DO: Read the man page for the arping program. Try it.

  8. DO: (probably hard to do) Identify another host on the network that is not your workstation and not already in your ARP cache, such as wilkes.cs.hmc.edu. (You can use arp, with no command-line arguments, to see the names of hosts in your ARP cache.) What host did you choose? Use nslookup to find its IP address.

Part B: Tracing ARP

  1. DO: Clear your ARP cache. ANSWER: How did you do it?

  2. Start Wireshark and begin a trace. 

  3. Use arping to send exactly one ARP request to your chosen host.

  4. Stop the Wireshark trace.

  5. Use the arp program to verify that your chosen host is now in the ARP cache. (Note that it will time out fairly quickly---If you don't see it, try arping again without tracing in Wireshark.)

  6. Tell Wireshark to show only protocols below IP.

  7. Find the ARP request message from your workstation to the chosen host.

    1. What are the hex values for the source and destination addresses in the Ethernet frame containing the ARP request message?

    2. What do the 1 bits mean within the Flag Field?

    3. Give the hex value for the two-byte Ethernet frame type field.

    4. What is the ARP opcode? How many bytes into the Ethernet frame does it appear? 

    5. What are the four addresses in the ARP request? Why do you think that particular value was used for the target MAC address?

  8. Find the ARP response message.

    1. What is the value of the opcode field?

    2. Where in the ARP response does the "answer" to the ARP request appear?

  9. Do you see other ARP messages in your trace? About how many? Are the addresses from these messages in your ARP cache? Why or why not?

  10. Clear (if possible) your ARP cache again; do nothing for 2 minutes; and then print out your ARP cache. Why does your ARP cache have entries in it?

  11. Quit Wireshark. Verify that the chosen host has timed out of the ARP cache.
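
Added example (not part of the original lab handout): a small Python decoder for the Ethernet/ARP layout defined in RFC 826, useful for cross-checking the fields Wireshark shows in Part B, steps 7 and 8. The frames, MAC/IP addresses and function names are constructed for illustration, and the src_matches_sender check is an extra sanity test, not something the lab asks for.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")          # destination MAC, source MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 body for Ethernet/IPv4
ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying ARP; raise ValueError otherwise."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    (htype, ptype, hlen, plen, oper,
     sha, spa, tha, tpa) = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "opcode": OPCODES.get(oper, f"unknown({oper})"),
        # opcode follows htype(2) + ptype(2) + hlen(1) + plen(1) in the ARP body
        "opcode_offset": ETH_HDR.size + 6,
        "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa),
        # sanity check: frame source should equal the sender MAC in the ARP body
        "src_matches_sender": src == sha,
    }

def build_frame(dst, src, oper, sha, spa, tha, tpa):
    """Build a sample frame from text addresses (for the constructed data below)."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return (ETH_HDR.pack(to_b(dst), to_b(src), ETHERTYPE_ARP) +
            ARP_HDR.pack(1, 0x0800, 6, 4, oper, to_b(sha), socket.inet_aton(spa),
                         to_b(tha), socket.inet_aton(tpa)))

# Constructed request/reply pair: made-up MACs, documentation-range IPs.
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
REQUEST = build_frame("ff:ff:ff:ff:ff:ff", A, 1, A, "192.0.2.10",
                      "00:00:00:00:00:00", "192.0.2.20")
REPLY = build_frame(A, B, 2, B, "192.0.2.20", A, "192.0.2.10")

if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY)):
        print(name, parse_arp_frame(frame))
```

To check your own capture, copy a frame's bytes out of Wireshark as a hex string and pass bytes.fromhex(...) of it to parse_arp_frame.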

Advice & Hints

I have no particular advice. If you think of anything, let me know!

Lab Notebook

In your lab notebook, include the requested output and your answers to questions from parts A and B, as well as answers to the discussion questions.

Discussion Questions

  1. Based on the contents of the ARP cache, what seems to be the range of addresses that your workstation considers to be on its local area network? What would the netmask be? Try using ifconfig to test your hypothesis. After you've done so, go on-line and see if you can find any information on the CINE assignment of addresses or HMC's assignment policy.

  2. What do you think of the style of RFC 826 versus any later RFCs you've looked at?

  3. About how long did this lab take to complete?

Grading

There is no A option for this lab. But I am willing to add one: make up 3 tasks to do with either arp or Wireshark. Provide me the problem write-up and your answers. Highlight this material (somehow) in your lab notebook.

Mike Erlinger

Last Modified Tuesday, 01-Oct-2019 13:13:36 PDT